Nmap’s Scripting Engine (NSE) does more than port scanning: its scripts can probe a service for specific, known vulnerabilities and report a CVE match.

Let’s see how Nmap can find a given CVE on a web server. CVE-2023-1234 is used below as a placeholder ID, standing in for whatever CVE you are hunting; substitute the real ID and its matching http-vuln-* script. We’ll assume the vulnerable service is running on port 80.

nmap -sV -p 80 --script vuln <target_IP> -oN nmap_vuln_scan.txt

Here’s what’s happening:

  • -sV: Runs service detection, so scripts whose portrule keys on the http service also fire when the web server sits on a nonstandard port.
  • -p 80: We’re specifically targeting port 80, where we suspect the web server is running.
  • --script vuln: Runs every script in the vuln category, which already includes the HTTP-specific http-vuln-* scripts. Note that http-vuln is not a category name: --script vuln,http-vuln fails with an error because it matches no category, filename or directory. To narrow the run to the HTTP checks, use a quoted wildcard instead: --script "http-vuln-*".
  • <target_IP>: Replace this with the IP address of the machine you’re scanning.
  • -oN nmap_vuln_scan.txt: This saves the normal output to a file named nmap_vuln_scan.txt for easier review. Add -oX as well if you want to parse the findings programmatically.

After running this, a script that confirmed a finding prints a block like the following (the script name http-vuln-cve2023-1234 follows the http-vuln-cveYYYY-NNNN naming convention of the real scripts, and the finding itself is a placeholder):

Nmap scan report for 192.168.1.100
Host is up (0.0020s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2023-1234:
|   VULNERABLE:
|   Placeholder buffer overflow in the XYZ component of the web server
|     State: VULNERABLE
|     IDs:  CVE:CVE-2023-1234
|     Risk factor: High
|       A buffer overflow in the XYZ component lets remote attackers execute
|       arbitrary code by sending a specially crafted request.
|     Disclosure date: 2023-01-15
|     Extra information:
|       GET /vulnerable_path returned the marker the affected build emits
|     References:
|       http://www.example.com/advisories/CVE-2023-1234
|_      https://nvd.nist.gov/vuln/detail/CVE-2023-1234

This block is rendered by NSE’s vulns library, which the vuln scripts use for reporting: the script name, the vulnerability title, a State (VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE, or an exploit/DoS result), the IDs the script matched, a risk factor, a description, the disclosure date, any extra information the probe gathered (here the URI that triggered the marker), and references. It appears under the port’s script results rather than under Host script results, because http-vuln-* scripts are port scripts.

How it works internally:

NSE scripts are written in Lua. When you invoke --script vuln, Nmap loads every script whose categories field includes vuln and runs each one against the ports (or hosts) that its portrule or hostrule accepts. For http-vuln-* scripts, the action sends HTTP requests crafted to exercise the flaw and inspects the response for a tell-tale: an injected marker header, a known error string, leaked data, or a version banner in the affected range. The script fills in a vulnerability table and hands it to the vulns library, which renders it as the text block above for -oN and as structured elements for -oX.
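The following is an added illustration of that structure, not code from the page or a script shipped with Nmap. It is a minimal vuln-category script in the same shape as the real http-vuln-* scripts: a portrule, an action that sends one GET request, and a vulnerability table handed to the vulns library. The CVE ID is the article’s placeholder, and the probe path, the X-XYZ-Marker response header and the ExampleHTTPd banner are assumptions made up for the example.

```lua
-- Illustrative vuln-category NSE script (added example, not shipped with Nmap).
-- Everything it checks for is a placeholder: the CVE ID comes from the article's
-- example, and the path, marker header and banner pattern are assumptions.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Checks whether a web server exposes a placeholder flaw (CVE-2023-1234 as used
in the article). Illustrates how http-vuln-* scripts probe and report.
]]

author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

-- Run against any port that looks like HTTP (80, 8080, ... or -sV says http).
portrule = shortport.http

action = function(host, port)
  -- --script-args http-vuln-placeholder.path=/other changes the probe path.
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/vulnerable_path"

  -- Metadata in the form the vulns library renders (State, IDs, Risk factor, ...).
  local vuln = {
    title = "Placeholder buffer overflow in the XYZ component",
    state = vulns.STATE.NOT_VULN,
    IDs = { CVE = "CVE-2023-1234" },   -- placeholder ID, not a real advisory
    risk_factor = "High",
    description = [[
Placeholder: a real script states the affected product and version range here.]],
    dates = { disclosure = { year = 2023, month = 1, day = 15 } },
    references = { "https://nvd.nist.gov/vuln/detail/CVE-2023-1234" },
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local resp = http.get(host, port, path)
  if not resp or not resp.status then
    -- No usable answer: stays NOT VULNERABLE (printed only with --script-args vulns.showall).
    return report:make_output(vuln)
  end

  -- Header names in the http library's response table are lowercased.
  local banner = resp.header["server"] or ""

  if resp.status == 200 and resp.header["x-xyz-marker"] then
    -- Strongest evidence: the response carries the marker only the affected build emits.
    vuln.state = vulns.STATE.VULN
    vuln.extra_info = "Marker header returned for GET " .. path
  elseif string.find(banner, "^ExampleHTTPd/1%.[0-4]%.") then
    -- Weaker evidence: only the banner matches the affected range, so grade it lower
    -- and leave confirmation to manual testing.
    vuln.state = vulns.STATE.LIKELY_VULN
    vuln.extra_info = "Version banner in affected range: " .. banner
  end

  return report:make_output(vuln)
end
```

Save it as http-vuln-placeholder.nse and run it with nmap -p 80 --script ./http-vuln-placeholder.nse --script-args vulns.showall <target_IP>; vulns.showall makes the NOT VULNERABLE result visible too, which is how you confirm the probe actually ran. The two-tier state (VULN on a direct marker, LIKELY_VULN on a banner match) is the point to copy: the vulns library lets a script say how strong its evidence is, and the consumer of the report should treat LIKELY VULNERABLE as a lead to verify rather than a finding.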

Common CVEs and their detection:

  • Heartbleed (CVE-2014-0160): The ssl-heartbleed script checks for the Heartbleed bug in OpenSSL. After the TLS handshake it sends a heartbeat request whose declared payload length is larger than the data actually sent; a vulnerable server echoes back the missing bytes from its own process memory, and the script reports VULNERABLE when it receives more data than it sent. Add -sV so the script also runs on non-443 TLS ports.
    nmap -sV -p 443 --script ssl-heartbleed <target_IP>
    
  • Shellshock (CVE-2014-6271): The http-shellshock script tests for Shellshock in CGI scripts. It sends a request in which the User-Agent header (configurable with http-shellshock.header) carries a crafted bash function definition followed by a command; if the response contains the output of that command, bash executed it and the host is vulnerable. The default URI is /, which is rarely a CGI script, so point it at one with the uri argument.
    nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/<script.cgi> <target_IP>
    
  • Apache Struts RCE (CVE-2017-5638): The http-vuln-cve2017-5638 script targets the Jakarta Multipart parser flaw in Struts 2. It sends a request whose Content-Type header carries an OGNL expression that adds a marker header to the response; the script reports VULNERABLE when that marker comes back. It deliberately does not treat a server error as evidence, since a 500 can have many other causes.
    nmap -p 80 --script http-vuln-cve2017-5638 <target_IP>
    
  • Jenkins RCE (CVE-2017-1000353): Stock Nmap ships no NSE script for this CVE (and no jenkins-* enumeration script). What NSE can give you is the Jenkins version from service detection, which you compare against the fixed release in the advisory; confirming exploitability needs manual testing or a dedicated tool.
    nmap -sV -p 8080 <target_IP>
    
  • Log4j RCE (CVE-2021-44228): Stock Nmap ships no Log4Shell script either; community NSE scripts exist that inject JNDI lookup strings (${jndi:ldap://...}) into headers and parameters. Because the vulnerable lookup happens server-side, the HTTP response alone cannot confirm it: these scripts need a DNS or LDAP listener you control and report a hit when the target calls back. Run them with --script pointing at the downloaded .nse file (./log4shell.nse below is a placeholder for whatever the script is named) plus the callback-host argument that script documents.
    nmap -p 80,443,8080 --script ./log4shell.nse <target_IP>
    

Important Considerations:

  • False Positives/Negatives: NSE scripts are heuristic. They can report a vulnerability that isn’t actually exploitable (false positive) or miss one that is present (false negative), and a LIKELY VULNERABLE state is explicitly a lead rather than a finding. Always verify findings with other tools or manual testing. Run with --script-args vulns.showall to print NOT VULNERABLE results as well, so you can see which checks actually executed against the host.
  • Script Updates: The vulnerability landscape changes rapidly. New scripts arrive with new Nmap releases (or from the Nmap source repository), so keep Nmap itself up to date. There is no nmap --script-update option; nmap --script-updatedb only rebuilds the local script index (script.db) after you add or remove .nse files, it does not download anything.
  • Performance and Safety: Running the vuln category is slow because it triggers a large number of scripts, and it includes intrusive ones (http-shellshock, for example, is categorized exploit, vuln, intrusive) that can disturb fragile services. Be patient on large networks, and on production systems prefer --script "vuln and safe" to run only the checks the authors marked safe.
  • Permissions: NSE scripts themselves mostly use ordinary sockets and run fine unprivileged. Root privileges are needed for raw-packet scan types (-sS, -O, most of the firewall-evasion options) and for the few scripts that use raw sockets or packet capture, such as the broadcast-* and sniffer-detect scripts.

The output of these scripts is often detailed, providing not just the CVE ID but also a description, references, and sometimes even the specific URI or parameter that was targeted. This makes them incredibly useful for initial vulnerability assessments.

Once you’ve addressed the detected CVEs, the next step in your security assessment is to look for the other classes of weakness NSE scripts can identify, such as weak or default credentials and exposed sensitive information; the default category (also run by -sC) and, more noisily, the discovery category cover much of this: --script default,discovery.
